- Product Updates
- Product Introduction
- Purchase Guide
- Getting Started
- Console Guide
- Console Overview
- Bucket Management
- Creating Buckets
- Deleting Buckets
- Querying Buckets
- Empty Buckets
- Setting Access Permission
- Setting Bucket Encryption
- Setting Hotlink Protection
- Setting Origin-Pull
- Setting Cross-Origin Access
- Setting Versioning
- Setting up a Static Website
- Setting Lifecycle
- Setting Logging
- Accessing Bucket List Using Sub-Account
- Enable Inventory Feature
- Adding Bucket Policies
- Domain Name Management
- Setting Bucket Tags
- Setting Cross-region Replication
- Enabling Global Acceleration
- Object Management
- Uploading Objects
- Downloading Objects
- Copying Objects
- Viewing Object Information
- Searching for Objects
- Direct Upload Archiving
- Modifying Storage Class
- Deleting File Fragments
- Setting Object Access Permission
- Setting Object Encryption
- Custom Headers
- Deleting Objects
- Restoring an Archived Object
- Folder Management
- Data Extraction
- Set object Tag
- Batch Operation
- Monitoring Reports
- Data Processing
- User Tools
- Best Practice
- Overview
- Access Control and Permission Management
- ACL Practices
- Cloud Access Management Practices
- Granting Sub-accounts Access to COS
- Cases of Permission Setting
- Guidelines on COS API Authorization Policies
- Temporary Key Security Guide for Frontend Direct Upload to COS
- Generating and Using Temporary Keys
- Grant Sub-account Permissions to Pull Tag List
- Granting Sub-account Under One Root Account Permission to Manipulate Buckets Under Another Root Account
- Performance Optimization
- Data Migration
- Accessing COS Using the AWS S3 SDK
- Data Disaster Recovery and Backup
- Direct Data Upload
- Domain Name Management Practice
- Data Security
- Data Verification
- Big Data Practice
- Serverless Architecture Practice
- Using COS in the Third-party Applications
- Developer Guide
- Creating Request
- Bucket
- Object
- Data Management
- Data Disaster Recovery
- Data Security
- Cloud Access Management (CAM)
- Batch Processing
- Monitoring and Alarming
- Global Acceleration
- API Documentation
- Overview
- Common Request Headers
- Common Response Headers
- Error Codes
- Request Signature
- Operation List
- Service APIs
- Bucket APIs
- Basic Operations
- Access Control List (acl)
- Cross-Origin Resource Sharing (cors)
- Lifecycle (lifecycle)
- Bucket policy(policy)
- Hotlink protection(referer)
- Tag (tagging)
- Static website(website)
- Bucket inventory(inventory)
- Versioning
- Cross-region Replication(replication)
- Log Management(logging)
- Bucket Encryption (encryption)
- Global Acceleration (Accelerate)
- Object APIs
- Batch Operation APIs
- SDK Documentation
- SDK Overview
- Android SDK
- C SDK
- C++ SDK
- .NET SDK
- Go SDK
- iOS SDK
- Java SDK
- JavaScript SDK
- Node.js SDK
- PHP SDK
- Python SDK
- Mini Program SDK
- Error Codes
- FAQs
- Service Level Agreement
- Glossary
- Product Updates
- Product Introduction
- Purchase Guide
- Getting Started
- Console Guide
- Console Overview
- Bucket Management
- Creating Buckets
- Deleting Buckets
- Querying Buckets
- Empty Buckets
- Setting Access Permission
- Setting Bucket Encryption
- Setting Hotlink Protection
- Setting Origin-Pull
- Setting Cross-Origin Access
- Setting Versioning
- Setting up a Static Website
- Setting Lifecycle
- Setting Logging
- Accessing Bucket List Using Sub-Account
- Enable Inventory Feature
- Adding Bucket Policies
- Domain Name Management
- Setting Bucket Tags
- Setting Cross-region Replication
- Enabling Global Acceleration
- Object Management
- Uploading Objects
- Downloading Objects
- Copying Objects
- Viewing Object Information
- Searching for Objects
- Direct Upload Archiving
- Modifying Storage Class
- Deleting File Fragments
- Setting Object Access Permission
- Setting Object Encryption
- Custom Headers
- Deleting Objects
- Restoring an Archived Object
- Folder Management
- Data Extraction
- Set object Tag
- Batch Operation
- Monitoring Reports
- Data Processing
- User Tools
- Best Practice
- Overview
- Access Control and Permission Management
- ACL Practices
- Cloud Access Management Practices
- Granting Sub-accounts Access to COS
- Cases of Permission Setting
- Guidelines on COS API Authorization Policies
- Temporary Key Security Guide for Frontend Direct Upload to COS
- Generating and Using Temporary Keys
- Grant Sub-account Permissions to Pull Tag List
- Granting Sub-account Under One Root Account Permission to Manipulate Buckets Under Another Root Account
- Performance Optimization
- Data Migration
- Accessing COS Using the AWS S3 SDK
- Data Disaster Recovery and Backup
- Direct Data Upload
- Domain Name Management Practice
- Data Security
- Data Verification
- Big Data Practice
- Serverless Architecture Practice
- Using COS in the Third-party Applications
- Developer Guide
- Creating Request
- Bucket
- Object
- Data Management
- Data Disaster Recovery
- Data Security
- Cloud Access Management (CAM)
- Batch Processing
- Monitoring and Alarming
- Global Acceleration
- API Documentation
- Overview
- Common Request Headers
- Common Response Headers
- Error Codes
- Request Signature
- Operation List
- Service APIs
- Bucket APIs
- Basic Operations
- Access Control List (acl)
- Cross-Origin Resource Sharing (cors)
- Lifecycle (lifecycle)
- Bucket policy(policy)
- Hotlink protection(referer)
- Tag (tagging)
- Static website(website)
- Bucket inventory(inventory)
- Versioning
- Cross-region Replication(replication)
- Log Management(logging)
- Bucket Encryption (encryption)
- Global Acceleration (Accelerate)
- Object APIs
- Batch Operation APIs
- SDK Documentation
- SDK Overview
- Android SDK
- C SDK
- C++ SDK
- .NET SDK
- Go SDK
- iOS SDK
- Java SDK
- JavaScript SDK
- Node.js SDK
- PHP SDK
- Python SDK
- Mini Program SDK
- Error Codes
- FAQs
- Service Level Agreement
- Glossary
Setting Cross-Origin Access
Overview
You can set Cross Origin Resource Sharing(CORS) for objects in buckets through the COS Console. COS supports configuring multiple rules to respond to OPTIONS requests. CORS is a mechanism that allows resources at one origin to be requested from another origin through HTTP requests. Origins are deemed different from each other as long as their protocols, domain names or ports are different.
COS supports response to OPTIONS requests for CORS, and returns specific rules set by developers to browsers, but the server does not verify whether subsequent cross-origin requests conform to the rules. For more information, see Cross-Origin Resource Sharing.
Procedure
Log in to the COS Console, and then select the Bucket List in the left pane to go to the Bucket List page. Click the bucket of the object for which you want to set CORS to enter the bucket.
Click Basic Configuration to go to the Basic Configuration page of the bucket, find CORS Settings, and click Add Rule.
Add rule information (Fields with * are required). Configuration items are as follows:
Source Origin: The domain names allowed for cross-origin requests.
- More than one domain name can be specified, with one domain name per line.
- Wildcard
*is supported, which means all domain names are allowed. Not recommended. - A single specific domain name is supported, such as
http://www.abc.com. - Second-level wildcard domain names are supported, such as
http://*.abc.com. Only one second-level wildcard domain name with only one*in it is allowed per line. - Do not omit protocol name HTTP or HTTPS, and specify the port if the port is not default 80.
Operating Methods: GET, PUT, POST, DELETE, and HEAD are supported. Enumeration of one or more methods is allowed for a cross-domain request.
Allow-Headers: Allow-Header is used to notify the server about which custom HTTP request headers are allowed for subsequent requests when an OPTIONS request is sent, such as x-cos-meta-md5.
- More than one header can be specified, with one header per line.
- Header is easy to be omitted, so it is recommended to set this field to
*to indicate that all headers are allowed if there is no special requirement. - Uppercase and lowercase letters [a-z, A-Z] are supported, and no underscores (
_) are allowed. - Each header specified in Access-Control-Request-Headers must also be provided in Allowed-Header.
Expose-Headers: Expose-Header returns a common header for COS. For more information, see the Common Request Headers. The configuration should be specific to the requirements of application. Etag is recommended. Wildcard is not allowed. Headers are case insensitive, with one header per line.
Timeout Max-Age: Sets the validity period (in seconds) of the results obtained by OPTIONS. The value must be a positive integer, such as 600.
After configuration, click Submit and you will see the CORS rules added. To modify it, click the Modify button.
Was this page helpful?